Virtualization Technology News and Information
Lares Research Highlights Top 5 CISO Findings
Lares released new research highlighting the Top 5 CISO Findings encountered by the firm's consultants over hundreds of client engagements in 2022.

A virtual Chief Information Security Officer (vCISO) serves as an external security consultant for small and midsized companies that lack an internal CISO of their own. Over the past year, the Lares vCISO Team uncovered several common trends while assisting clients with IT risk assessments, configuration reviews, and security program management. According to Lares research, the most common avoidable mistakes encountered in vCISO engagements included a lack of asset management; vulnerabilities that are not found or patched quickly enough; blind spots due to improper logging, monitoring, and management; rampant insecure configurations; and minimal knowledge of how data flows through applications, systems, and storage.

"To properly defend their organizations, security managers need to be aware of the most prevalent issues and how to mitigate them," said Andrew Hay, Chief Operating Officer of Lares. "These issues can often lead to damaging data breaches or other malicious activities if left unaddressed."

Key Takeaways:

Lack of Asset Management Causes Serious Consequences for Businesses: Asset management systems identify and track information about an organization's physical and electronic assets. These include physical assets such as equipment, buildings, and properties, and electronic assets such as computers and data. They also include intangible assets such as intellectual property and goodwill.

Failing to properly manage or protect assets can lead to theft or financial loss, along with higher insurance costs or even policy cancellations. Related legal problems may include copyright infringement.

Vulnerabilities Are Not Effectively Discovered or Patched Quickly Enough: One common mistake is not scanning all systems for vulnerabilities, including the network, servers, workstations, and applications. Another is not setting clear priorities for fixing the vulnerabilities that are found. A related problem is not patching vulnerabilities in a timely way, which can leave the door open to cyberattacks for months or even years.

Blind Spots Due to a Lack of Properly Defined Logging, Monitoring, and Management: Too many organizations lack full visibility into their IT assets and software systems because they do not collect logs that record when events happened within their networks, what happened, and who was involved. This failure to collect and use logs can lead to damaging shortcomings in regulatory compliance and a heightened risk of security breaches.

Default and Insecure Configurations Still Run Rampant Throughout Organizations: Default configurations are dangerous because they are well known to attackers and thus easy to exploit. In addition, default configurations are often not optimized for security, for example when unencrypted communications are permitted.

Minimal Knowledge of How Data Flows Through Applications, Systems, and Storage: It is critical to know where data comes from, where it goes, and what processing is done along the way. Getting a handle on these data flows can enable organizations to quickly spot anomalous security risks and implement mitigation measures. Common methods for documenting data flow information include Data Flow Diagrams (DFDs), swim-lane diagrams, activity diagrams, and process maps.

The Lares "Top 5 CISO Findings in 2022" research paper is available for download here: .

Published Wednesday, March 15, 2023 12:25 PM by David Marshall